Cryptography is a key technology in electronic security systems. If cryptosystems are not designed properly, they may leak information that is correlated to a secret key. Attackers who can access this leaked information may be able to recover the secret key and break the integrity of the cryptosystem. Attacks that use the power consumption of the cryptosystem as the leaked side-channel information are of significant concern, for example, in smart cards and other complex systems-on-chip or systems-on-package that use cryptographic hardware accelerator modules. Attacks based on power consumption analysis are called power analysis attacks (PAAs). PAAs base their success on the electromagnetic radiation effect of the power supply of the integrated circuit (IC) and exploit current consumption dependency on cryptographic data and algorithm.
Various software and hardware based countermeasures have been proposed for dealing with power analysis attacks. Software based countermeasures use techniques such as: code and key randomization, constant execution path algorithms, symmetric cryptographic algorithm, and blinding signature method. Hardware countermeasures are mainly based on current filtering techniques, current balancing in the system, desynchronization (generating current randomness within the current traces), or current injection (noise insertion).
Current randomization or masking methods need to generate enough current to cover the maximum current peaks of a microcontroller, microprocessor, or other CPU and memory. This is impractical and it can be damaging to the IC due to increased heat in the die. Also, the use of external or internal filtering capacitors does not eliminate data to current dependency.
Embedded systems that are subject to PAAs are widely used in applications that require support for security (e.g., smart-cards, PDAs, mobile phones, TV subscription boxes, VOIP phones, and so on). Security is becoming a new metric dimension in the design process of embedded systems, along with other metrics such as cost, performance, and power.
In general, an encryption algorithm and a decryption algorithm plus the description on the format of messages and keys form part of a cryptographic system (or a cryptosystem). A cryptosystem uses an encryption/decryption secret key to encrypt/decrypt plaintext/ciphertext messages and generate ciphertext/plaintext messages. Cryptosystems can be implemented in software, hardware, or a combination of both, and normally they are part of a larger embedded system. A cryptosystem must be able to protect the secret keys; otherwise, the security of the entire system is compromised.
As mentioned previously, the dependency of the power emanations to data and to arrival time of the encrypted data can be observed and linked to the input data and the secret key. Attacks that use this additional information and link it to the secret key of a cryptosystem are referred to as side-channel attacks. The main side-channel attacks include timing attacks, simple and differential power (SPA and DPA) attacks, and simple and differential electromagnetic attacks (SEMA and DEMA).
In these attacks, power consumption is monitored by using current sensors or by measuring the voltage drop across a small resistor placed in series with the power supply path of the cryptosystem. A DPA attack is one of the most efficient power analysis attacks. It relies on statistical analysis and error correction to extract information from power consumption that is correlated to the secret key. EM attacks exploit electromagnetic emanation resulting from data processing operations in CMOS devices. EM signals propagate via radiation and conduction (often by a complex combination of both) and can be captured by field probes and current probes. It is possible to combine power analysis attacks with EM emanation attacks and develop powerful multi-channel attacks.
On-chip power supply current sensors can be used for several purposes, including, for example, protecting confidentiality of cryptosystems, testing complex ICs, and improving battery lifetime in portable devices.
As discussed above, an increasing number of electronic systems deal with security issues. Not only are high-end systems (network routers, gateways, firewalls, and web servers) affected; so are low-end systems such as wireless handsets, portable storage devices, sensor networks, and smart cards. Using cryptanalytic techniques based on power analysis makes it possible to extract secret information and break the security by monitoring the power consumed by a cryptosystem. An on-chip current sensor can be used in shaping the power supply current to mask power dependent cryptographic information.
Many testing techniques for complex digital and mixed-signal circuits are based on current measurement. Typically, faulty circuits are detected by measuring the current drawn under certain input conditions. Similar methods can be applied also for testing or pre-screening analog circuits. In complex ICs on-chip current-measurement-based testing techniques can be used not only to detect malfunctions, but also to foresee possible failures during normal operation.
Furthermore, increasing battery lifetime is one of the main goals in designing portable systems. Battery discharge time does not exclusively depend on the average current (i.e., on the average power dissipation), but also on the current temporal profile. Qualitatively, a smooth profile will give a longer lifetime than a bumpy profile. On-chip current sensing can be used to improve the power supply current profile in complex mixed-signal ICs and increase battery lifetime.
Improvements and alternatives to methods and devices incorporating cryptographic countermeasures are desirable. Similarly, improvements and alternatives to IC current sensors are desirable.